Michigan is one of many states working to pass laws that protect residents' privacy rights and outline businesses' responsibilities when handling individuals' personal information.

This article will take you through what the Michigan Personal Data Privacy Act is, who it applies to, the steps you can take to ensure compliance with the law, and penalties for noncompliance.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is the Michigan Personal Data Privacy Act?

The Michigan Personal Data Privacy Act (PDPA) is a data protection bill that was introduced in September 2022. The bill is designed to protect Michigan consumers' personal data by setting standards for how businesses treat the personal information they collect and process. Under the PDPA, applicable organizations that violate the law will face harsh financial penalties.

Who Does the Michigan Personal Data Privacy Act (PDPA) Apply to?

Who Does the Michigan Personal Data Privacy Act (PDPA) Apply to?

The PDPA protects the privacy rights of anyone who lives within the state of Michigan. It applies to any individuals or organizations that:

  • Do business within the state of Michigan or provide products or services to Michigan residents, and
  • Control or process personal data belonging to 100,000 or more Michigan consumers, or
  • Control or process personal information belonging to 25,000 Michigan consumers, and get more than 50% of their annual revenue from selling personal information

Personal data is any information that can be used to identify an individual, but does not include de-identified data (information that has had identifying elements removed) or information that is available to the public.

Sensitive data is a category of data that includes race, religious beliefs, health diagnoses, sexual orientation, citizenship status, identifying genetic data, children's personal data, precise geolocation data, ID numbers, and certain financial and login information.

Data controllers are those who decide how and why to process personal data.

Processing data refers to any action taken on collected data, such as collecting, using, storing, disclosing, analyzing, editing, or deleting data.

Section 3 of the text of the PDPA describes the types of organizations that the bill applies to:

Michigan PDPA Section 3: Who the bill applies to

Exemptions

The PDPA does not apply to organizations that are subject to the 0, the Health Insurance Portability and Accountability Act (HIPAA), or the Fair Credit Reporting Act. It does not apply to state agencies, higher education institutions, or nonprofit dental corporations.

What Does the Michigan Personal Data Privacy Act Require?

What Does the Michigan Personal Data Privacy Act Require?

The PDPA requires applicable organizations to fulfill certain obligations, including:

  • Only collecting personal data that is essential to their business's needs
  • Keeping the personal data they collect secure
  • Notifying third parties when a consumer opts-out of having their personal data processed
  • Getting consent from consumers before processing their personal data
  • Conducting data protection impact assessments when processing certain types of data
  • Making sure third-party data processors meet the PDPA's data protection standards
  • Ensuring that data brokers register with the Attorney General

How to Comply With the Michigan Personal Data Privacy Act

There are several steps you can take to make sure that you are in compliance with the PDPA. Let's take a look at what you can do now to get your business PDPA-ready.

Publicly Post Your Privacy Policy

To comply with the PDPA you will need to maintain a clearly written, up-to-date Privacy Policy on your website and apps. Your Privacy Policy should include the following clauses:

  • What types of personal data you collect
  • How you keep the data you collect secure
  • Your reasons for processing consumers' personal data
  • How consumers can exercise their rights
  • How consumers can appeal your decisions regarding their rights
  • What types of personal information you share with third parties
  • What third parties you share personal information with
  • Whether you sell personal data
  • Whether you use personal data for targeted advertising

You should also let consumers know that as long as you get their consent and keep their data secure, you may use the personal information you collect for research purposes in order to develop, repair, or improve your products or services.

Section 7 of the PDPA describes the clauses that should be included in your Privacy Policy:

Michigan PDPA Section 7: What to include in a Privacy Policy

Give Consumers a Way to Exercise Their Rights

The PDPA requires you to provide consumers with accessible, no-cost methods for exercising their rights and submitting requests concerning their personal information. A simple way to do this is by including links to these methods within your Privacy Policy.

For example, Domino's Pizza provides links and instructions for consumers to opt out of internet-based advertising within its Privacy Policy:

Dominos Pizza Privacy Policy: Opt out choices

Collect Only Essential Data

The PDPA requires companies to only collect information that is absolutely necessary to their business's operations. For instance, you may need to collect a user's email address in order for them to create an account with your company. Another example is if you have an ecommerce site, then you would need to collect financial and shipping information in order to complete a sale.

Bell's Brewery's Privacy Policy lets consumers know that it collects and processes personal data for the purposes it describes, and that it will not use the data it collects for other purposes unless it gets consumer consent:

Bells Brewery Privacy Policy: How we use personal information section

The Coffee Beanery's Privacy Policy explains that it uses the personal data it collects to fulfill orders, communicate with customers, protect consumers from fraud, and for targeted advertising:

Coffee Beanery Privacy Policy: How do we use your personal information clause

Keep Data Secure

You will need to ensure that you are doing everything you can to keep the data you collect and process secure. Your data protection practices could look like having security cameras and guards in place at the physical locations where the servers that hold the information you collect are located, training your staff on how to keep any data they handle safe, and making sure there are security measures (such as anti-malware software) in place on your website and apps.

Carhartt's Privacy Policy explains that it uses a combination of administrative, technical, and physical methods to keep users' personal information safe.

Carhartt Privacy Policy: How we protect personal information clause

It's a good idea to get consumers' consent to process their personal information before you collect it. Providing consumers with consent options prior to processing their personal information can help you to comply with the PDPA.

One of the simplest ways to get consumers' agreement to allow you to collect and process their information is by adding a checkbox to your website's data collection pages, with a statement saying that they have read and agree to your Privacy Policy and Terms and Conditions.

Hungry Howie's Pizza requires customers to tick a box stating that they agree to its Global Terms of Use, Privacy Statement, and California Privacy Statement before placing an order:

Hungry Howies Pizza: Submit Order page with Agree to Terms and Privacy Statement checkbox highlighted

Give Consumers the Choice to Opt Out

The PDPA requires organizations to only collect and process personal information that is absolutely necessary to their operation, and to inform consumers if they decide to use the data for any other purposes in the future.

You should give users a way to opt-out of having their personal data collected or processed for any reasons other than the purposes they initially agreed to.

Section 7 of the text of the PDPA explains that data controllers must give consumers the opportunity to opt-out of having their data used for additional purposes.

Michigan PDPA Section 7 b: What to include in a Privacy Policy

The Interest-Based Advertising section of Ford's Privacy Notice goes into detail about how consumers can opt-out of having their personal information collected for targeted advertising purposes, including through industry-wide opt-outs and mobile device and browser settings:

Ford Privacy Policy: Interest-Based Advertising section

Another important element of the PDPA is its requirement that you notify third parties and data processors if a consumer chooses to opt out of having their personal data processed.

Section 7 of the PDPA explains that you must let third parties know if a consumer opts-out of the processing of their personal data:

Michigan PDPA Section 7 h: What to include in a Privacy Policy

Conduct Data Protection Impact Assessments as Needed

A data protection impact assessment is an audit that helps your business to identify and take action to decrease privacy risks that are associated with handling consumers' personal information.

The PDPA requires organizations that deal with specific types of personal data to conduct and document data protection impact assessments to keep the information they process secure.

Any applicable organization that meets the following criteria will need to do data protection impact assessments:

  • Processes data to be used for targeted advertising
  • Sells personal data
  • Processes personal data for profiling that could result in unfair treatment of, harm or injury to, or invasion of privacy of consumers
  • Processes sensitive data

Section 11 of the PDPA describes the circumstances in which a data protection impact assessment is called for:

Michigan PDPA Section 11: Data Protection Impact Assessment

Choose Aligned Third-Party Data Processors

Privacy by design is a concept that means that you intentionally create a business in which the entire system is designed to protect consumers' privacy. That means that every move your business makes prioritizes consumers' privacy rights.

Choosing third-party data processors that follow similar privacy protection practices is a good way to implement privacy by design within your business relationships and help you to comply with the PDPA.

You should make sure that you contract with third-party data processors that meet the standards outlined in the PDPA, including:

  • Keeping all processed data confidential
  • Honoring any requests you make to delete or return consumers' personal data, unless the law requires the data processor to retain the data
  • Providing you with all the information the data processor possesses to prove that it is in compliance with the law
  • Ensuring that all subcontractors meet the same contractual standards

You will also need to have an independent assessment done of any third-party data processors' privacy practices.

You can include a third-party clause within your Privacy Policy to inform consumers about the measures you take to keep their data secure when working with third-party data processors.

The Sharing and Disclosing Data section of Perrigo's (a health solutions company) Privacy Notice lets users know that its third party service providers are required to comply with any applicable privacy laws, and that they must keep the personal data they process secure:

Perrigo Privacy Policy: Who we may share personal data with clause excerpt

Register Data Brokers

Data brokers are businesses that sell or share the personal information they collect to third parties. The PDPA requires all data brokers to register with the Attorney General.

Section 17 of the PDPA explains the registration requirements for data brokers:

Michigan PDPA Section 17: Data broker

Respond to Consumers' Data Requests

The PDPA requires applicable organizations to respond to consumers' requests concerning their personal data. Consumers have the following rights under the Act:

  • The right to be informed as to whether their data is being processed
  • The right to access their personal data
  • The right to correct inaccuracies in their personal data
  • The right to delete their personal data
  • The right to obtain a portable and accessible copy of their personal data
  • The right to opt out of the processing of their personal data for targeted advertising, the sale of their data, or the use of their data for profiling purposes

You should have a process in place for responding to consumer requests regarding their personal data in a timely and secure manner.

Williams International uses its Privacy Policy to inform users how they can exercise their rights:

Williams International Privacy Policy: User rights clause excerpt

Penalties for Noncompliance

The Michigan Attorney General will give organizations that are found to be in violation of the PDPA a 30-day notice to correct violations.

If the violations are not cured within the 30-day time period, then the offending organization will be subject to fines of up to $7,500 per violation.

Data brokers that aren't registered with the Attorney General can be fined up to $100 for each day they fail to register.

Summary

The Michigan Personal Data Privacy Act (PDPA) is a bill that requires applicable businesses to take specific steps to protect Michigan consumers' personal data.

The PDPA applies to businesses that provide goods or services to Michigan residents and either control or process personal data belonging to 100,000 or more Michigan consumers or control or process personal data belonging to 25,000 or more Michigan residents and get more than 50% of their revenue from selling personal information.

Organizations that are exempt from the PDPA include those subject to the Gramm-Leach-Bliley Act, HIPAA, or the Fair Credit Reporting Act, as well as state agencies, higher education institutions, and nonprofit dental care organizations.

In order to comply with the PDPA, you will need to:

  • Only collect personal data essential to your business's functioning
  • Keep the data you collect secure
  • Notify third parties when a consumer opts out of having their personal data processed
  • Post your Privacy Policy on your website and apps
  • Give consumers a way to exercise their rights
  • Get users' consent before processing their personal data
  • Give consumers opt-out and opt-in options
  • Conduct data protection impact assessments when you collect or process certain types of data
  • Contract with legitimate third-party data processors that keep the data they collect secure
  • Make sure you are registered with the Attorney General if you sell or share the personal data you collect
  • Respond to consumers' data-related requests

Penalties for noncompliance with the PDPA are $7,500 per violation. Data brokers that fail to register with the Attorney General can be fined $100 per day.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy